Connect Microsoft Entra ID/Azure AD
Microsoft Entra ID, formerly Azure Active Directory, is a cloud-based service for identity and access management of applications hosted in Microsoft Azure as well as applications running in other cloud or on-premises environments. Entra ID offers features such as Single Sign-On, Multi-Factor Authentication, Self-Service Password Reset, Conditional Access Policies, and Identity Protection. With Entra ID, organizations can centrally manage their users, groups, and devices and control access to their resources.
The OPC Router 5 Web Management allows user management and authentication through Entra ID by integrating Entra ID.
This guide assumes the presence of an existing Microsoft Entra ID tenant.
For OPC Router to use Entra ID, a new registration must be added to the application registrations of your Microsoft Entra ID tenant.
The appearance and navigation of the Microsoft Entra ID interface may vary.
On the App registrations (1) tab of your Microsoft Entra ID tenant, you can create a new application by clicking on New registration (2).
The appearance and navigation of the Microsoft Entra ID interface may vary.
It is important to customize the application's Redirect URI. In the dropdown list (1), select Web. In the Address (3) field, configure the address where the Web Management is accessible. This must be a valid https (2) address of the Web Management; otherwise, it will not be allowed. The SSL certificate does not need to be issued by a certification authority; self-signed certificates are also permissible. Learn how to set up HTTPS for your OPC Router Web Management here:
Additionally, the Endpoint (4) must pass the configured login request path. This is /signin-oidc by default but can be overridden by the AZURE_AD_CALLBACK_PATH environment variable if needed.
The newly created application needs further configuration to enable successful authentication via Microsoft Entra ID.
The appearance and navigation of the Microsoft Entra ID interface may vary.
To do this, on the App registrations (1) tab, under the All applications (2) group, select your newly created application (3).
The appearance and navigation of the Microsoft Entra ID interface may vary.
On the Authentication (1) tab, there is a checkbox for ID token (2), which must be enabled for the Web Management user management to work with Microsoft Entra ID. Save (3) this configuration change.
In your Entra ID tenant, you can now navigate to your configured application under Enterprise applications and use the Users and groups tab for user management.
Creating OPC Router 5 Containers with Entra ID Integration
To connect OPC Router with Entra ID, three pieces of information from the tenant must be available: the Application ID, the Directory ID, and a domain under which the Entra ID configuration is accessible.
The appearance and navigation of the Microsoft Entra ID interface may vary.
The Primary domain (3) can be found in the Overview (2) tab of your Entra ID tenant.
The appearance and navigation of the Microsoft Entra ID interface may vary.
The Application ID (2) and the Directory ID (3) are displayed on the Overview (1) tab of the created application registration.
With this information, you can now execute a Docker run command that creates an OPC Router container with a connection to Entra ID:
docker run -d \
-e OR_I_ACCEPT_EULA=true \
-e AZURE_AD_DOMAIN=domain.onmicrosoft.com \
-e AZURE_AD_TENNANT_ID=1111111-1111-1111-1111-1111111 \
-e AZURE_AD_CLIENT_ID=1111111-1111-1111-1111-1111111 \
--name opcrouterentra \
opcrouter/runtime
By running the command and setting the environment variable OR_I_ACCEPT_EULA to true, you agree to the End User License Terms.
Enter your (primary) domain into the AZURE_AD_DOMAIN environment variable, your directory ID into the AZURE_AD_TENNANT environment variable, and your application ID into the AZURE_AD_CLIENT_ID environment variable.
For Entra ID authentication to work, HTTPS must be set up on the container. The necessary settings have been omitted here for demonstration purposes. The unaltered command is therefore not executable.
After successful setup, a button for logging in via Azure AD/Entra ID (1) should appear below the login button. Users added through the Entra ID tenant can use this button to log in.